"Clients visiting yahoo.com received advertisements served by ads.yahoo.com," blogged Joost Bijl, Fox-IT's product manager for ProtACT, its security monitoring service. "Some of the advertisements are malicious. Those malicious advertisements are iframes hosted on [five separate domains]."
The iFrames silently redirected the Yahoo visitors "to seemingly random subdomains" of several domains all served from a single IP address that appears to be hosted in the Netherlands. Here the visitors were served with the Magnitude exploit kit which attempted to exploit several Java exploits. If any of the exploits were successful, the victim was infected with one of a range of trojans including Zeus, Andromeda, Dorkbot, Tinba, Necurs and click fraud malware.
Magnitude is proving an increasingly popular exploit kit among cybercriminals since the arrest of Paunch, the alleged author of the Blackhole EK.
"The investigation showed that the earliest signs of infection were at December 30, 2013. Other reports suggest it might have started even earlier", continued Fox-IT. It updated its report, still on 3 January, with the comment, "It appears the traffic to the exploit kit has significantly decreased. It looks like Yahoo is taking steps to fix the problem."
Fox-IT estimates that around 300,000 users visited the site every hour during the infection. "Given a typical infection rate of 9% this would result in around 27.000 infections every hour," it suggests. A second Dutch company, SurfRight, provided additional information on its Hitman blog on Sunday. It confirmed December 30 as the start of the infections. "Our systems detected the first threats associated with this malware campaign on Monday December 30th, 2013 (now 6 days ago). This means that a lot more users are infected than initially thought (4 days x 24 hours x 27,000 infections = 2.5 million infected computers)," it concluded.
At the time of writing this report, Yahoo has not published a formal statement on the issue. It has, however, released two brief statements to journalists. On Saturday it said, "We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity."
On Sunday it added, "On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware. We promptly removed these advertisements. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected."